Security Incidents mailing list archives
FW: Event ID 644
From: Paul Snedden <psnedden () GBMLOGIC COM AU>
Date: Mon, 11 Dec 2000 13:57:12 +1100
All,

I originally sent this message to the How-To Security List (also a part of SecurityFocus), but didn't receive any reasonable responses. Perhaps the membership of this list might be able to shed a bit more light.

Paul
Last Friday afternoon (15:59), there is a group of entries in the Security Event Log of my PDC saying that my personal domain acct had been locked out. This, in itself, is nothing short of odd, but isn't the reason for this question.

The first three entries were identical, with the exception of the "Caller Machine", each of which had a different SID. My first question is which machines would this be? Do I have any way of finding this out? I'm assuming one is my PDC, another would be my BDC, but what about the third? Other than the PDC/BDC, I also have a RAS Server and a standalone server running IIS4 as a backend to our corporate website. All servers are running NT4/SP6a(RC1.3), my PC is running NT4WS/SP6a(RC1.3). So, what would the third entry be? If there were 4, I would have assumed that it was the other two servers, but seeing as there is just one, would the third entry be my PC?

The second half of my question is a bit more bizarre. As I mentioned, there were six entries in the event log, in the order of (what I will call) "SID1", "SID2", "SID3". These three entries were duplicated some 23 seconds later, in the same order as above (SID1, SID2, SID3). Then, approximately an hour later, there were another eighteen (18) entries, these being in three groups of three, then duplicated 22 seconds later (just like it did above).

I will give details of one of the groups of three: SID1 had three events logged, one saying my User acct had been locked out and gave all the relevant details. Looking at the "detail" section of the event, the top half of the screen showed "User" as my login name, and the "Computer" had the name of my PDC listed. The bottom half showed the "Target Account ID" as being my login name, the "Caller User Name" had the name of my domain listed, and the "Caller User Name" had a hex string listed. The second and third entries that SID1 had showed the "User" as "NT AUTHORITY\ANONYMOUS", but the "Computer" still had the name of my PDC listed. The "Target Account ID" was blank, and the "Caller User Name" showed a different hex string. This pattern was duplicated for both SID2 and SID3, then 22 seconds later, the entire pattern (of 9 entries) was duplicated.

So. As Monday was a public holiday, I was more than a little surprised to see this when I came to work on Tuesday morning. When you add in the fact that our building got broken into over the weekend, it just looks a little TOO scary. Can someone help me make sense of all this?
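A small triage script, added here as an example and not part of the original message, that groups Event ID 644 (account locked out) entries into time bursts and flags a burst whose ordered "Caller Machine" sequence is replayed shortly afterwards, which is the "SID1, SID2, SID3, then the same again 22-23 seconds later" pattern the post describes. The record layout, account name, timestamps and SID strings are constructed placeholders, not values from the post.

```python
from datetime import datetime

# Constructed sample modelled on the post: three 644 entries, each with a
# different Caller Machine SID, repeated 23 seconds later, plus one stray entry.
# Field order: (time, event_id, target_account, caller_machine). SIDs are placeholders.
SAMPLE_LOG = [
    ("2000-12-08 15:59:00", 644, "psnedden", "S-1-5-21-PLACEHOLDER-1"),
    ("2000-12-08 15:59:00", 644, "psnedden", "S-1-5-21-PLACEHOLDER-2"),
    ("2000-12-08 15:59:00", 644, "psnedden", "S-1-5-21-PLACEHOLDER-3"),
    ("2000-12-08 15:59:23", 644, "psnedden", "S-1-5-21-PLACEHOLDER-1"),
    ("2000-12-08 15:59:23", 644, "psnedden", "S-1-5-21-PLACEHOLDER-2"),
    ("2000-12-08 15:59:23", 644, "psnedden", "S-1-5-21-PLACEHOLDER-3"),
    ("2000-12-08 17:01:10", 644, "psnedden", "S-1-5-21-PLACEHOLDER-1"),
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def split_bursts(events, gap_seconds=5):
    """Group 644 events into bursts: consecutive entries no more than gap_seconds apart.
    Sorting is by time only (stable), so log order is kept for entries with equal timestamps."""
    lockouts = sorted(((parse_time(t), acct, caller) for t, eid, acct, caller in events
                       if eid == 644), key=lambda e: e[0])
    bursts = []
    for ev in lockouts:
        if bursts and (ev[0] - bursts[-1][-1][0]).total_seconds() <= gap_seconds:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts

def burst_signature(burst):
    """Ordered sequence of caller machines in a burst (the SID1, SID2, SID3 pattern)."""
    return tuple(caller for _, _, caller in burst)

def find_replays(events, gap_seconds=5, max_delta=60):
    """Return (first_start, second_start, delta_seconds, signature) for each pair of
    consecutive bursts with an identical caller sequence that start within max_delta seconds."""
    bursts = split_bursts(events, gap_seconds)
    hits = []
    for a, b in zip(bursts, bursts[1:]):
        delta = (b[0][0] - a[0][0]).total_seconds()
        if burst_signature(a) == burst_signature(b) and delta <= max_delta:
            hits.append((a[0][0], b[0][0], delta, burst_signature(a)))
    return hits

if __name__ == "__main__":
    for first, second, delta, sig in find_replays(SAMPLE_LOG):
        print(f"{first} replayed at {second} ({delta:.0f}s later): {sig}")
```

Once the replayed caller SIDs are isolated this way, they are the machines to resolve and inspect first; the hour-later groups of three in the post would show up as further hits.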